Vulnerability analysis and hacker intrusion prevention method of ASP website

Source: Internet
Author: User
Tags query servervariables sql injection sql injection attack access database backup

Author: pizzaviat
Source: Eighth Regiment

How to better achieve the prevention of hacker attacks, I mention personal views! First, the free program does not really have a fee, since you can share the original code, then the attacker can analyze the code. If you pay attention to precautions in detail, your site's security will be greatly improved. Even if there are vulnerabilities such as SQL injection, attackers will not be able to take your site immediately.

Due to the ease of use of ASP, more and more Web site background programs are using ASP scripting language. However, because the ASP itself has some security vulnerabilities, a little careless will provide the opportunity for hackers. In fact, security is not only a matter of network management, programmers must also be aware of certain security details, develop good safety habits, otherwise it will bring huge security risks to their website. At present, most of the ASP programs on the site have such a security vulnerability, but if you write a program to pay attention to, it can be avoided.
1, user name and password is cracked
Attack principle: User name and password, is often the most interesting thing to hackers, if the source code is seen in some way, the consequences are serious.
Prevention Tips: The user name and password procedures are best encapsulated in the server side, as little as possible in the ASP file, involving the database connection with the user name and password should be given the minimum permissions. The number of times a user name and password can be written in a more hidden file containing files. If you are connected to a database, and in an ideal state only give it permission to execute a stored procedure, do not give the user permission to modify, insert, or delete records directly.
2. Verification is bypassed
Attack principle: Now need to verify the ASP program is mostly in the page head plus a judgment statement, but this is not enough, there may be hackers bypass the verification of direct access.
Prevention tips: Need to verify the ASP page, you can track the file name of the previous page, only from the previous page into the session to read this page.
3, Inc. file leakage problem
Attack principle: When the ASP's home page is being made and no final debugging is done, it can be added as a search object by some search engine maneuver. If someone uses a search engine to find these pages, they will be able to locate the files and see the details of the database location and structure in the browser, revealing the complete source code.
Precautions: Programmers should thoroughly debug a Web page before it is released; security experts need to harden the ASP files so that external users cannot see them. The. inc file content is encrypted first, and then the. asp file can be used instead of the. inc file to make it impossible for users to view the source code of the file directly from the browser. The file name of the INC file does not use the system default or has special meaning easily guessed by the user name, try to use the English alphabet without rules.
4, automatic backup is downloaded
Principle of attack: in some tools for editing ASP programs, when creating or modifying an ASP file, the editor automatically creates a backup file. For example: UltraEdit will back up a. bak file, such as you create or modify the some.asp, the editor will automatically generate a call Some.asp.bak file, if you do not delete this Bak file, the attacker can directly download Some.asp.bak file, so some.asp source The order will be downloaded.
Defensive tip: Before uploading a program, check it carefully and delete unnecessary documents. Be especially careful about files that are suffix to bak.
5. Special characters
Attack principle: The input box is a target that the hacker exploits, they can cause damage to the user's client by inputting the scripting language, etc. if the input box involves a data query, they can get more database data, even all of the tables, using special query statements. The input box must therefore be filtered. However, it is possible to bypass the validation of input legality only at the client side to improve efficiency.
 Prevention skills: In the processing of similar message boards, BBS, such as input boxes in the ASP program, it is best to shield off HTML, JavaScript, VBScript statements, if no special requirements, you can limit the number of letters and numbers, to block out special characters. The length of the input character is also limited. And not only in the client to enter the legality of the check, but also in the server-side program to do similar checks.

6. Database Download Vulnerability
How it works: When you use Access as a background database, it is dangerous to have someone who knows or guesses the path and database name of the server's Access database in a variety of ways.
Prevention Tips:
(1) Make a complex, unconventional name for your database file name and place it in a few layers of directory. The so-called "unconventional", for example, there is a database to keep the information about the book, but do not give it a "book.mdb" name, but to have a strange name, such as D34ksfslf.mdb, and put it in such as./kdslf/i44/studi/ , so it's even harder for hackers to get your Access database files in a guessing way.
(2) Do not write the database name in the program. Some people like to write DSN in a program, such as:
DBPath = Server.MapPath ("Cmddb.mdb")
Conn. Open driver={microsoft Access Driver (*.mdb)};dbq= & DBPath
If you get a source program, your Access database's name is in a glance. Therefore, it is recommended that you set up a data source in ODBC and then write it in the program:
Conn.Open "Shujiyuan"
(3) Use Access to encode and encrypt the database files. First in the "tools → security → encryption/decryption database," Select the database (such as: Employer.mdb), and then press OK, then the "Database encryption Save as" window, can be saved as: "Employer1.mdb."
Note that the above action does not set a password on the database, but only encodes the database file to prevent others from using other tools to view the contents of the database file.
Next we encrypt the database, first open the encoded Employer1.mdb, and when it is open, select Exclusive. Then select the function table "tools → security → Set database Password", and then enter the password. So even if someone gets the Employer1.mdb file, he can't see the contents of Employer1.mdb without a password.


7. Prevent remote injection attack

Such attacks should have been a more common form of attack in the past, post attacks, for example, allow an attacker to arbitrarily change the data value to be submitted for the purpose of the attack. Another example: The forgery of COOKIES, which is more worthy of the attention of the program writer or webmaster, do not use COOKIES as a way to authenticate users, Otherwise you and the key to leave the thief is the same reason.

Like what:

If trim (Request. Cookies ("uname")) = "Fqy" and Request.Cookies ("upwd") = "fqy#e3i5.com" Then
... more ..........
End If

I think you webmaster or like to write a program of friends do not make such a mistake, is really unforgivable. How many years have you been faking cookies, you can't blame someone else for running your password. When it comes to user passwords or when users log in, you'd better use session It's the safest. If you want to use cookies to add a message to your cookies, SessionID, its random value is 64 digits, to guess it, impossible. Example:

If not (Rs. BOF or rs.eof) then
Login= "true"
Session ("username" &sessionid) = Username
Session ("Password" & sessionID) = password
' Response.Cookies ("username") = Username
' Response.Cookies ("Password") = Password

Now let's talk about how to protect against remote injection attacks, the general attack is to drag the Tanku commit file to the local, the form action= "chk.asp" point to your server to process the data file. If all your data filters are on a single sheet, then congratulations, you will have been attacked by the script.

How can we stop such a remote attack? Okay, see the code is as follows: Program Body (9)

<%
Server_v1=cstr (Request.ServerVariables ("Http_referer"))
Server_v2=cstr (Request.ServerVariables ("SERVER_NAME"))
If Mid (Server_v1,8,len (SERVER_V2)) <> Server_v2 Then
Response.Write "

Response.Write ""
Response.Write "You submitted the wrong path, prohibit the submission of data from outside the site please do not change the parameters!" "
Response.Write "

"
Response.End
End If
%>

' Personal feeling the above code filtering is not very good, there are some external submission unexpectedly still can come in upright, so write another.

' This is a good filtration effect and is recommended for use.

If InStr (Request.ServerVariables ("Http_referer"), "http://" &request.servervariables ("host") <1 Then Response.Write An error occurred on the server while processing the URL.
If you are using any means to attack the server, then you should be glad that all of your operations have been recorded by the server, we will be the first time to inform the Public Security Bureau and the National Safety department to investigate your IP. "
Response.End
End If

Program Body (9)

I thought this would be all right, add some restrictions on the form page, such as MaxLength, etc... But the weather is so not the case, the more you are afraid of what he is more and more. You don't forget that an attacker could limit the length of the input box in an SQL injection attack. Write a socket program to change the Http_referer? I won't. Published on the internet such an article:

------------Len.reg-----------------
Windows Registry Editor Version 5.00
[hkey_current_user\software\microsoft\internet explorer\menuext\ Extension (&e)]
@= "C:\Documents and settings\administrator\ desktop \len.htm"
"Contexts" =dword:00000004
-----------End----------------------
-----------len.htm------------------
  
----------End-----------------------

Usage: First import the Len.reg into the registry (note the file path)
Then copy the len.htm to the specified location in the registry.

Open the Web page, the cursor on the input box to change the length of the right button, see more than a call to expand the option

Click Finish! PostScript: The same can be used to deal with those restrictions on the content of the script.

What to do? Our limits.



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.